Wednesday, July 10, 2013

Increased Scrutiny of Third-Party Vendor Relationships (part 1)

While oversight of third-party relationships has long been a point of emphasis for regulatory bodies like the OCC and FDIC, the CFPB is generating a renewed focus on vendor oversight compliance, following a series of rule announcements and a massive enforcement action against Capital One. The leading card company was fined over $200 million by the CFPB for failure to adequately monitor a third-party vendor who sold add-on products. This and other fines demonstrate that the federal watchdog will indeed hold banks accountable for the sins of their vendors. There’s more at stake here than just reputation. Along with these fines come strategic risk, compliance risk, transaction risk, credit risk, and risk to future customer growth and profitability. At this point many are asking, “What is the best way to ensure third-party vendors are compliant?”

One thing is for certain: banks are in need of a more efficient and transparent means of reviewing and managing the mountain of paperwork that accompanies vendor audits, which will surely increase in frequency and significance. In the past the answer was probably to keep some sort of document checklist. You’d make sure you obtained a copy of vendor policies and practices. You would confirm licensing. You would review monthly vendor “touches” (or perform quality assessment). Each year you’d conduct an annual business review and “score” the findings. You would hold information security audits, likely involving lengthy questionnaires, site visits, etc. Now, while this is a great list (and also a lot of audit paperwork), the bottom line is that if it isn’t provable, it isn’t worth much.

So how do we prove we’ve gathered what we need, and how do we manage it? Some choose to continue the manual effort by throwing more compliance FTE at the problem. They add staff, and then more staff. Unfortunately, with new staff comes the need to create new structures and to add more checks and balances. As you add more checks and balances, you need to identify new vulnerabilities, which means creating structures for escalation handling and remediation.

Another solution is some type of eFile cabinet. With this option you develop the same checks and balances that you would in the manual process, and then typically just scan and upload the documents into something like a SharePoint solution. So really, uploading documents is the only step that is automated.

As we talk to those in the industry working through this dilemma, we’re hearing more and more often that the needed staffing increases aren’t available, and when you do get them, you need to create more manual processes (which are error prone and harder to prove). In this day and age we’re being asked, or more so required, to prove zero defects, which practically demands automation.

It seems that the CFPB is asking you to have some sort of comprehensive, overall compliance management system, and within that they want a vendor compliance management capability. This capability should ideally be able to upload documents and capture the necessary details and data about the vendor: their policies, procedures, legal documents, and training material. It should have a formal policy assessment process where you can identify outliers and see examples of remediation needed for follow-up. It should demonstrate control over the remediation process by showing the number, type, and age of open issues. It should provide automated evaluation of business rules, and drive reporting options, exception handling, escalation, and remediation work steps, subsequently creating feedback that enables optimization. Also, there should be email alerts and executive dashboards that shine light on areas of exposure.

As far as managing 3rd party vendors in collections specifically, you want the same operational controls at the agency level that you have in your own operations. You want to account for and control their strategy with respect to contacts in all forms of communication. Consistency and fairness in offers made should be evident and demonstrated through disparate impact testing and controls. There should be control of complaint tracking, reporting, and remediation. Contact compliance rules, especially state and jurisdiction level controls for TCPA, should be enforced. You should have enhanced business process management for hot-button issues like SCRA and UDAAP, and there should be dynamic management of ever-changing disclosures and legal notifications.
